Data Protection during the Covid-19 pandemic
Structure and governance
The usual data processing that takes place across the University, and which is explained in greater detail in the data protection notices available here, continues to happen during the pandemic. However, there is some processing of personal and special category data (relating to your health and ethnicity) that is completed specifically as part of the University's preparations efforts to reassure staff, students and visitors to campus that the University is doing its best to:
- take care of the community
- help identify employees, students or visitors who may be experiencing COVID-19 symptoms
- provide real-time infection data on the University population
The purpose of this page is to provide as much information as possible about why this data is needed, who it will be shared with and how long it will be kept.
This information will be relevant to all of the processing involved in carrying out Covid testing and keeping buildings around the campus open, but details relating to specific initiatives can be found under the separate headings below. This article will be updated as often as necessary but if you have any questions which are not answered here, please feel free to send an email to the email@example.com email address or telephone +44 (0)23 92843642 or +44 (0)23 92863103.
It is always necessary to have a legal basis for processing personal data, and in relation to the personal data that could be processed under the proposed initiatives, for example, name and contact details, it is believed those most appropriate are that the processing is necessary:
- For compliance with a legal obligation to which the University is subject (H&S legislation) (UK GDPR Article 6(1)(c))
- For the performance of a task carried out in the public interest (UK GDPR Article 6(1)(e))
- For the purposes of the legitimate interests pursued by the University (UK GDPR Article 6(1)(f))
Where we also process special category data (health or ethnicity data), the appropriate legal bases are that the processing is necessary:
- For the purposes of carrying out the obligations and exercising specific rights of the University or of individual data subjects in the field of employment and social security and social protection law (UK GDPR Article 9(2)(b) and Data Protection Act 2018 Schedule 1 Part 1, s1(1)(a))
- For reasons of public interest in the area of public health such as protecting against serious cross-border threats to health (UK GDPR Article 9(2)(i))
- For reasons of public interest in the area of public health and is carried out by or under the responsibility of a health professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law (Data Protection Act 2018, Schedule 1, Part 1(3))
The University is committed to only processing the data that it is necessary to process to achieve the objectives of identifying any possible infections and providing reassurance to staff, students and visitors of the steps being taken to prevent a rise in infections. This data will (where possible) be held electronically for 21 days in secure, access controlled areas of University systems and securely deleted when the data is no longer needed. If it is necessary to keep data in a paper form [for example, check-in details for campus cafes when we are able to open these spaces], this will be held securely in locked cabinets and shredded after 21 days.
The only exception to retaining data for only 21 days may be when data can be used for research purposes in line with Article 89(1) of the UK GDPR. Anonymised records, from which individuals cannot be identified can be used for statistical analysis. However, when an individual signs up for a test, they will be given the option to provide their consent for the data collected by the University to be retained for research purposes. Generally, this will allow researchers to contact individuals to ask for their involvement in a research project and for their consent for their data to be used for that purpose.
The majority of the personal data processed will be retained within the University for University purposes (within Human Resources, Occupational Health, Health & Safety, and by line managers). It may be necessary to share some personal data with external organisations, for example, the NHS, Public Health England (PHE) or the Department for Education (DfE) via the Office for Students (OfS), but this will be if it is required by those organisations and only the minimum data necessary will be shared via secure electronic means.
The University has an agreement with Portsmouth City Council (PCC), that the PCC will share data it receives from Public Health England with the University, in order to identify individuals within the University community with, or at risk of, Covid-19 with the view to contacting, logging, screening and providing services to help those individuals.
In line with the requirement to always only process the minimum necessary amount of personal data, if an incident occurs within the University where it is believed / known that you have had contact with an individual who has contracted the Covid-19 virus, you will be informed of that fact and any actions you may need to take to protect yourself. You will not usually be told the name of the individual who has contracted the virus.
Data Subject rights
Everyone has the right to access their data held by the University (a Subject Access Request) at any time. The University has a calendar month in which to respond to a Subject Access Request, but if the only data you require is any that may have been collected as part of the Covid-19 initiatives, it will be possible to obtain that faster than usual. Please use the contact details below to discuss this access to your data and any other issues you wish to raise about your personal data at this time.
If you are a member of staff, possibly processing special category data that you have not processed before, then please ensure you refresh your training in data protection and information handling practices. Please go to the University’s Moodle site to take the relaunched Information Governance training.
NHS Test and Trace
The University may be required to provide information to the NHS Test and Trace service if contacted by that organisation, in relation to someone who has attended the University campus and who has tested positive for COVID-19.
If we are asked for information relating to staff and students, we will provide details such as their name and contact details, and dates and times when those individuals were on campus where this is known, for example, Library turnstile data, attendance monitoring records or timetable data.
We may also provide the contact details of individuals with whom that member of staff may have had contact, if requested.
We will record the following data relating to contractors and other visitors to the University campus, for the purposes of providing this data to the NHS Test and Trace programme if required, in line with Government requirements:
- Name of the individual or of the leader of a group plus the number of individuals in the group
- Contact telephone number
- Date of the visit plus, is possible, arrival and departure times
- Details of staff members with whom the group interacted
This data will be provided on behalf of the University by the Health and Safety Covid-19 team within the University, but staff should be aware that if they are contacted directly by someone asking for this information, it would only be a valid enquiry if:
- a telephone call was received from 0300 013 5000, which is the NHS Test and Trace programme central number
- a text was received from NHS Tracing
- you are advised to sign into the NHS Test and Trace webpages, but only through searching for that website, not entering a URL provided by anyone
If you believe the request is valid, it should be passed to the Health and Safety team via the firstname.lastname@example.org email address to answer.
If you believe the request is a possible scam, please refer it to the IS Service desk on ext. 7777 or email@example.com.
The temperature-screening programme aims to identify employees, students, contractors and visitors to the University who may be experiencing a raised temperature, one of the possible COVID-19 symptoms, and to monitor statistics of those scanned and those showing a raised temperature, which might be an indicator of COVID-19.
The Temperature screening programme has 2 phases.
In the first phase (thermal imaging), no personal data is collected. A scan of an individual approaching the scanner will be taken and a message displayed on a screen visible only to the person approaching the scanner. The image and message displayed will not be recorded in a way that personally identifies any individual. The only record kept will be an anonymous record of how many scans are completed and how many of the two messages (elevated temperature or no elevated temperature) were displayed.
If your temperature is below 37.8 degrees Celsius (100 degrees Fahrenheit) you will be able to enter the building.
If your temperature is above 37.8 degrees Celsius (100 degrees Fahrenheit) an alert will sound and you will be shown a message explaining the next steps you need to take. If an alert is sounded twice, you will need to return home to follow the guidance on self-isolating. You will need to contact the University’s Health and Safety Team, when it may be necessary to discuss and record personal and special category data (the Second phase of the programme). The Health and Safety Team will, however, only keep a record of relevant details collected in this phase. This will include, but is not limited to, the name and email address of any individual that notifies Health and Safety that they are returning home to self-isolate following an alert of an elevated temperature as signalled by the scanner, although if the individual volunteers any further data this may also be processed if it is relevant to their situation. The notification that an individual is self-isolating will be recorded, as will the fact that the individual has notified the University’s Health and Safety Team of a positive COVID-19 test if this is then confirmed. This information may be provided to that individual's line manager, the Human Resources Department and the Estates and Campus Services Department.
The University provides a proactive testing programme for staff and students who wish to be tested for Covid-19, even though they may not be experiencing any Covid symptoms (asymptomatic testing). Staff and students can take a Lateral Flow Device (LFD) test.
Individuals are asked to book an appointment at the testing site, and on arrival at the site, will be asked to complete a data sheet which will include their name, staff / student name and ID number, phone number and email address.
The LFD screening tests are administered by a qualified member of University nursing staff and an agency nurse, as well as supervised nursing students, who will associate the results with the personal data listed above, in order to provide the individual with their results. The results of the test will be shared directly with the individual tested and copied to the Health and Safety Covid-19 team so that an overview of the infection rate within the University can be assessed.
[Whilst the need for a PCR (Polymeraise Chain Reaction) test is not currently required by the UK government, the University has offered these previously and may do so again, if the need for one recurs. Therefore, the following information is provided to explain previous processes and in case the test is required again in the future. If the screening test suggests that an individual might have Covid-19, they will then be asked to return to the testing site for a Polymeraise Chain Reaction (PCR) test which will be sent to QA hospital for processing, along with the personal data already provided by the individual, so that the hospital can provide the individual with the results of the test. If a member of staff tests positive for Covid-19 this data will be provided to the University’s Occupational Health department to follow up with the individual.
Please send an email to firstname.lastname@example.org or phone +44 (0)23 92843642 or +44 (0)23 92863103 if you have any remaining queries about how your data may be processed in relation to COVID-19 precautions.